The 10 Immutable Laws of Security – Revisited

The “10 Immutable Laws of Security” was an essay published by the Microsoft Security Response Center in 2000. Since it was published, attack methods have become significantly more complex and diverse. Likewise, the methods we use to counter such attacks have become more sophisticated. So, let’s revisit the 10 Immutable Laws of Security and see whether they still apply to the current security paradigm.

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.

In other words, if you choose to run a program on your computer, that program can theoretically do anything you can do, whether it’s editing documents, sending emails, executing a virus, or creating a back-door for subsequent transgressions. I think it is fair to say that the first law still holds true today, as human error is not something software developers can solve.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

If an attacker gains access to your operating system, they can basically do anything they please. Sure, you can password protect your system files and registry; however, the attacker will still be able to modify protected objects on your computer.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

Should an attacker gain physical access to your computer, they could cover it with Pokémon stickers, update your Facebook status, and spill a glass of Lucozade on the keyboard. There are various locks, alarms and cases that can help you protect your machine. If it’s a laptop, there are tracking devices which can take photos of the attacker using the built-in camera, and even wipe the data if necessary. However, such tools do not necessarily invalidate law 3, as an attacker can still potentially break the case/lock, remove your hard-disk and copy your files to a different location. But what if you encrypted your hard-drive and used a set of keys stored on an external device, such as a dongle, to decrypt the hard-drive? Well, this would certainly make it very hard (not impossible) for the attacker to gain access to your data. So, would this scenario invalidate law 3? Well, not really.

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

So basically, if a hacker is able to upload a program to your web server and execute it, you’re in trouble. For example, he could deface your home page and use it for broadcasting inappropriate material, or anything else you would not want to be associated with. Assuming he is able to execute the uploaded file, he could even take control of the underlying OS. When a website is defaced, it’s often the case that the owner simply replaces the home page, believing they have solved the problem. However, if a hacker was able to deface your website, it’s important to consider what else he might have done.

There was a time when browsers were riddled with security holes, and when simply visiting a compromised website could infect the visitor’s computer. These days, browsers are much more secure, and so this is unlikely to happen. Of course, hackers can still convince users to download and execute software on their own machines, in which case, there’s nothing that can be done. There are many websites that allow users to upload and share software; however, these sites have safeguards in place which ensure that a user will not get infected just by visiting the site. So with the exception of certain websites that allow users to upload and share applications, law 4 still appears to hold true.
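One way a site that accepts uploads can keep an uploaded file from ever being run by the web server, shown as an added example that is not part of the original essay. The allowlist, the size limit and the assumption that `upload_dir` sits outside the web root are choices made for this illustration.

```python
import os
import secrets
import tempfile

# Allowlist (assumed for this example): extension -> required leading bytes.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(Exception):
    pass


def store_upload(client_name, data, upload_dir):
    """Validate an upload and store it under a server-chosen name.

    upload_dir is assumed to lie outside the web root, in a location the
    web server never executes or interprets as script.
    """
    # Only the final extension of the client-supplied name is kept; the
    # rest of the name is discarded, so path tricks like "../" do nothing.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # A cheap consistency check, not full content validation.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    stored = secrets.token_hex(16) + ext
    path = os.path.join(upload_dir, stored)
    # O_EXCL never overwrites an existing file; mode 0o640 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: PNG magic bytes followed by filler.
        print(store_upload("logo.png", ALLOWED[".png"] + b"constructed", d))
```
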

Law #5: Weak passwords trump strong security

This is fairly self-explanatory. It’s typically recommended that your password contains at least 6 characters – including letters, numbers and symbols – both uppercase and lowercase. It is also recommended that users change their password every 30 to 60 days. These days, website owners have the option to use smart-cards, fingerprint and retina scanners as additional means of user identification.

Law #6: A computer is only as secure as the administrator is trustworthy

Again, this law is self-explanatory. After all, the administrator has control over everything. Assuming we are talking about the administrator of a company, a rogue admin could sell sensitive data, broadcast inappropriate content from the company’s server, snoop on private emails etc. This law is as true now as it was when the article was written. See ‘How to spot a rogue systems admin’ for more information.

Law #7: Encrypted data is only as secure as the decryption key

It’s often the case that people store cryptographic keys (associated with their encrypted data) on their computer, and while the keys are usually obfuscated, they can still be found with relative ease. It would be much more secure to store such keys offline, or on a separate device.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

A virus scanner can only scan for the viruses it knows about, as it scans for certain characteristics that are known in advance. Yet, new viruses are created every day. It’s obviously very important to keep your anti-virus software up-to-date; however, this is a dated law, as these days it’s not just viruses we have to contend with, but also ransomware, worms, spyware, adware, malware (including fake anti-malware software), keystroke loggers, rootkits etc.
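The effect of a stale signature database, as an added sketch that is not from the original essay. The signature names, dates, byte patterns and sample files are all constructed placeholders, and the matching is a plain substring search rather than any real product's engine.

```python
from datetime import date

# Constructed signature database: (name, date the vendor added it, pattern).
# The patterns are harmless placeholder strings, not real malware signatures.
SIGNATURES = [
    ("Sample.A", date(2000, 1, 10), b"CONSTRUCTED-PATTERN-A"),
    ("Sample.B", date(2000, 6, 2), b"CONSTRUCTED-PATTERN-B"),
    ("Sample.C", date(2000, 11, 20), b"CONSTRUCTED-PATTERN-C"),
]


def scan(data, last_update):
    """Return names of signatures known as of last_update that match data."""
    return [name for name, added, pattern in SIGNATURES
            if added <= last_update and pattern in data]


def coverage(files, last_update):
    """Split files into (detected, missed) for a scanner last updated on
    last_update. 'missed' holds files a fully updated scanner would flag
    but this one does not. Files matching no signature at all appear in
    neither result: to the scanner they look clean.
    """
    detected, missed = {}, []
    for fname, data in files.items():
        hits = scan(data, last_update)
        if hits:
            detected[fname] = hits
        elif scan(data, date.max):
            missed.append(fname)
    return detected, missed


# Constructed sample files.
FILES = {
    "report.doc": b"plain text, nothing to match",
    "old.exe": b"header CONSTRUCTED-PATTERN-A trailer",
    "new.exe": b"header CONSTRUCTED-PATTERN-C trailer",
    "variant.exe": b"header CONSTRUCTED-PATTERN-D trailer",  # no signature exists
}

if __name__ == "__main__":
    print("stale:  ", coverage(FILES, date(2000, 3, 1)))
    print("current:", coverage(FILES, date(2000, 12, 31)))
```
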

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

If you visit a website, it’s theoretically possible, with a bit of work, for the owner to figure out who you are. There are certain measures you could take to help mask your identity. For example, you could use network address translation to mask your IP address, use internet cafes, libraries or other ISP accounts. It’s also worth noting that there are new and interesting technologies emerging that focus on privacy and security. One such example is the SAFE network. I guess you could say it’s an entirely new internet, only it is built using a radically different architecture than the current web. The network is decentralised, and both data storage and transmissions are encrypted end-to-end. On top of which, users don’t have IP addresses as such. I won’t go into a lengthy explanation about how the SAFE network works, as it is beyond the scope of this article. For more information visit maidsafe.net. Regardless of such technological innovations, if someone wants to find out who you are, the chances are, with a bit of work, they can.

Law #10: Technology is not a panacea

The moral of the story is that technology alone is not sufficient in addressing the many security threats and concerns that exist in the world today. In fact, as our methods of dealing with security threats become more sophisticated, the focus of attacks shifts towards the fallible nature of human beings.